To have better understanding of session leakage incidents like {T264369}, we should try logging whenever the same session starts coming from a different IP. This might end up too noisy to be useful, but is worth a try. Another option is using the <wiki>mwuser-sessionId cookies (used for client-side analytics, not related to the auth system).
I think we did something similar for {T150554} in the past, but I might be misremembering.